CVE-2015-8371Insufficient Verification of Data Authenticity in Composer

CWE-345Insufficient Verification of Data Authenticity6 documents5 sources
Severity
8.8HIGHNVD
EPSS
0.9%
top 24.38%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
ComposerGetcomposer Composer
Timeline
PublishedSep 21

Description

Composer before 2016-02-10 allows cache poisoning from other projects built on the same host. This results in attacker-controlled code entering a server-side build process. The issue occurs because of the way that dist packages are cached. The cache key is derived from the package name, the dist type, and certain other data from the package repository (which may simply be a commit hash, and thus can be found by an attacker). Versions through 1.0.0-alpha11 are affected, and 1.0.0 is unaffected.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

Packagistcomposer/composer< 1.0.0
Debiancomposer/composer< 1.0.0~alpha11-3+3

🔴Vulnerability Details

4
OSV
CVE-2015-8371: Composer before 2016-02-10 allows cache poisoning from other projects built on the same host2023-09-21
OSV
Composer allows cache poisoning from other projects built on the same host2023-09-21
GHSA
Composer allows cache poisoning from other projects built on the same host2023-09-21
CVEList
CVE-2015-8371: Composer before 2016-02-10 allows cache poisoning from other projects built on the same host2023-09-21

📋Vendor Advisories

1
Debian
CVE-2015-8371: composer - Composer before 2016-02-10 allows cache poisoning from other projects built on t...2015
CVE-2015-8371 — Composer vulnerability | cvebase